Azure users unable to log in when integrated with Confluence DC via SSO 2.0

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After following the KB How to integrate Confluence DC with Azure for SAML 2.0 SSO, Azure users receive a generic "We can't log you in right now" error message when trying to log in to Confluence.

Environment

Diagnosis

For a given user encountering this situation while logging in, the following error appears in the application logs:

2021-12-22 19:01:27,386 ERROR [http-nio-8080-exec-5] [impl.web.filter.ErrorHandlingFilter] logException [UUID: 79a91343-3bf8-4cfb-a562-022612ebe316] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
 -- referer: https://login.microsoftonline.com/ | url: /plugins/servlet/samlconsumer | traceId: e905ee736246ea42 | userName: anonymous
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
	at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:56)
	at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:28)
	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:105)

Investigate the SAML attributes being sent to Confluence by using a tool such as SAML Chrome Panel. Normally, the SAML response contains the following attribute, carrying the list of the user's groups:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>

Instead of that attribute, the response for the affected user contains the following attribute:

<Attribute Name="http://schemas.microsoft.com/claims/groups.link"><AttributeValue>
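
The check described above can be scripted. The following is an added example, not code from the Atlassian KB or from the SSO plugin: it parses a decoded SAML response and reports whether the groups claim is present, whether only the groups.link overage indicator is present (the failure case in this article), or whether neither is present. The two claim URIs are the ones quoted above; the three SAML responses, the group names and the groups.link value are constructed placeholders, and the helper names (extract_attributes, diagnose_group_claims, _response) are this example's own.

```python
# Added example, not part of the Atlassian KB: classify the group claims in an
# Azure AD SAML response the way Confluence's JIT group mapping needs them.
# Claim names are the two URIs quoted in the KB; the XML samples below are
# constructed, and the groups.link value is a placeholder, not a real Graph URL.
from typing import Dict, List, Tuple
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"


def extract_attributes(response_xml: str) -> Dict[str, List[str]]:
    """Collect every saml:Attribute in the response as name -> list of values."""
    root = ET.fromstring(response_xml)
    attributes: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attributes.setdefault(attr.get("Name", ""), []).extend(values)
    return attributes


def diagnose_group_claims(response_xml: str) -> Tuple[str, List[str]]:
    """Return (status, groups).

    "ok"              -> the groups claim is present; JIT group mapping can proceed
    "group-overage"   -> only groups.link is present: Azure hit its group claim
                         limit (150 per the KB) and sent the overage indicator
                         instead, which is what raises the JitException in the log
    "no-groups-claim" -> neither claim is present; the Azure app's group claim
                         is not configured at all
    """
    attributes = extract_attributes(response_xml)
    if GROUPS_CLAIM in attributes:
        return "ok", attributes[GROUPS_CLAIM]
    if OVERAGE_CLAIM in attributes:
        return "group-overage", []
    return "no-groups-claim", []


def _response(attribute_block: str) -> str:
    # Minimal constructed SAML response wrapper. Real responses also carry a
    # Signature, Subject and Conditions, which this classifier does not need.
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="{SAML_NS}"><saml:Assertion><saml:AttributeStatement>'
        f"{attribute_block}"
        "</saml:AttributeStatement></saml:Assertion></samlp:Response>"
    )


# Constructed sample 1: the healthy case, groups claim with two group names.
NORMAL_RESPONSE = _response(
    f'<saml:Attribute Name="{GROUPS_CLAIM}">'
    "<saml:AttributeValue>confluence-users</saml:AttributeValue>"
    "<saml:AttributeValue>engineering</saml:AttributeValue>"
    "</saml:Attribute>"
)

# Constructed sample 2: the case from this KB, only the overage indicator.
OVERAGE_RESPONSE = _response(
    f'<saml:Attribute Name="{OVERAGE_CLAIM}">'
    "<saml:AttributeValue>https://graph.example.invalid/placeholder</saml:AttributeValue>"
    "</saml:Attribute>"
)

# Constructed sample 3: no group claim configured at all, only an email claim.
MISSING_RESPONSE = _response(
    '<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">'
    "<saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>"
)


if __name__ == "__main__":
    samples = (("normal", NORMAL_RESPONSE), ("overage", OVERAGE_RESPONSE), ("missing", MISSING_RESPONSE))
    for label, xml in samples:
        status, groups = diagnose_group_claims(xml)
        print(f"{label}: {status} {groups}")
```

To use it against a real login, paste the base64-decoded SAML response captured by the browser tool into one of the sample slots; a "group-overage" result confirms the cause described in the next section, while "no-groups-claim" points at the group claim configuration in the Azure enterprise application instead.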

Cause

According to Microsoft's SAML token claims reference, the groups.link attribute is a group overage indicator: Azure sends it in place of the groups claim when the number of groups associated with the user exceeds the limit of 150, so the groups attribute Confluence expects is never present.

This scenario is tracked in the following bug:

SAMLDC-97

Solution

As a possible workaround, consider adding the user ID to an application-only group and reconfiguring each user's group claim to application access only (i.e. User.Groups[ApplicationGroup]), so that the claim stays well under the limit. Also, ensure that this group has the appropriate global permissions within the Atlassian application.


Last modified on Oct 4, 2023
